
Take Inventory of SMS 2003

This rev of Microsoft’s desktop management tool has been in the machine shop for three years. Now that it’s nearly here, let’s look under the hood.

IT professionals are used to waiting for Microsoft products, but the three-plus years it’s taken to move from Systems Management Server (SMS) 2.0 to SMS 2.5, now called SMS 2003, is pushing it. After countless late nights, Jolt binges, and multiple metric tons of M&Ms, SMS 2003 is scheduled to touch down at about the same time you read these words.

SMS 2003 may have been a long time in the making, but it isn’t even considered a major revision over SMS 2.0. This is good news for SMS administrators, because while SMS 2003 has a number of new capabilities and benefits, it still looks like—and more or less behaves like—SMS 2.0.

Nonetheless, SMS 2003 is a versatile, multifaceted desktop management tool that performs the challenging task of remotely managing large numbers of Windows PCs with efficiency and power.

Poof! What’s Gone
Let’s start with what is no longer part of the product, as it’s a smaller category than what’s new.

- Crystal Reports. (I don’t hear any wailing over this omission.) The obtuse, add-on reporting solution has been replaced by the robust and much easier to use SMS Web Reporting.

- NetWare support. Sorry, Provo, but you just don’t have enough market share anymore. (This also means no more IPX site boundaries.)

- Logon points on domain controllers (DC). If you use only the Advanced Client in an Active Directory environment, SMS will leave your DCs alone.

- WINS and network browsing. If you have an all-Advanced-Client AD network, and if you choose to extend the AD schema, you can kiss WINS goodbye and disable browsing as far as SMS is concerned.

- Support for Alpha, SQL 6.5, SQL 7.0 pre-SP3, Windows 95, NT Server 3.51 and older. In contrast to the rest of Microsoft, at least SMS 2003 will continue to support NT 4.0!

- 80 zillion SMS accounts. With the Advanced Client in AD, SMS 2003 only needs to use computer accounts and local system accounts.

- License enforcement/real-time application monitoring. Software Metering, as you’ve known it before, is dead. No more separate Software Metering servers and database. The new Software Metering is an offline application monitor that actually works.

- SMS Installer. Actually, the SMS Installer still lives on. It’s just no longer included with SMS itself; it can be downloaded separately.

- Network Monitor. NetMon is still included on the SMS 2003 CD; it’s just no longer an integrated installation option.

- SMS Administrator’s Guide. This has been replaced by the Online Library, including the “Concepts, Planning and Installation Guide.”

- Advertised Programs Manager/Monitor Control Panels. Look for advertisements under Add/Remove Programs.

Mobile Client Management
Perhaps the most significant change to SMS is the Advanced Client. At one time called the Mobile Client, the Advanced Client is a leaner (but kinder) SMS client that addresses the mobile workforce and runs only on Windows 2000 or above. While it’s optimized for an AD environment, it doesn’t require AD. Developed for roaming users with unpredictable connectivity, it’s also a much improved SMS client solution for desktops. In fact, the Advanced Client is the recommended client for SMS 2003 deployments.

The Advanced Client uses HTTP and XML for communication across the network, consuming less bandwidth. It also takes advantage of BITS (Background Intelligent Transfer Service), a bandwidth-aware protocol that provides byte-level checkpoint restart. Let’s say the Advanced Client gets interrupted during a download or installation of a software package. Instead of having to start all over again when network connectivity resumes, the client picks up where it left off and finishes the processing. Advanced Clients have the option of either running a package from the Distribution Point as SMS clients have always done, or downloading the entire package into cache and executing it locally. Administrators can also designate what percentage of bandwidth should be used for SMS client processes.

Advanced Clients
A new server role called a Management Point (MP) is built to enable Advanced Client communications. A Management Point is analogous to the SMS 2.0 Client Access Point (CAP). Discovery data, inventory data, status messages and advertisement retrieval in the form of SMS “policies” for Advanced Clients are all handled by Management Points. Management Points are only supported on primary sites and require direct access to the SQL Server database. Because Advanced Clients communicate with Management Points via HTTP and XML, MPs require IIS 5.0 or later to be installed on the machines hosting them. Similarly, Distribution Points will also require IIS 5.0 or higher to support BITS on package distributions.

Another new site system role with an IIS dependency is the Server Locator Point (SLP). SMS 2003 does away with the need to use DCs. Administrators can still choose to use DCs for logon client installation, but now they can decide which DCs to use and can manually populate Netlogon shares with the files to run SMS client installation logon scripts. In place of the Logon Points on DCs, SMS 2003 uses SLPs. If you decide to extend your AD schema, SLPs get published in AD. Otherwise, you must manually configure WINS with SLP information.

Figure 1. This screen shows SMS 2003’s built-in Report Viewer with a software inventory report for a single computer. Note that the file path is now included as part of software inventory, a small but priceless addition.

Security via Active Directory
Many IT pros might consider SMS security an oxymoron. SMS lets administrators know what’s installed on company desktops, remotely control them and more or less force software to be installed. These are the features that give certain manager types cold sweats and nightmares. To make sure that the SMS environment is safe and secure, Microsoft designed SMS 2.0 with 28 different security account types for specific purposes, guarding against the single point of failure that was in SMS 1.2 with its service-account-as-domain-administrator set-up. In a large environment, this range of account types can translate into hundreds of accounts SMS administrators need to track. In many cases, however, only SMS controlled the passwords on these accounts, so account lockouts were common.

In SMS 2003, this security model is still in place and is known as Standard Security. However, a new, improved approach is also available called Advanced Security. Advanced Security requires barely any domain user accounts—a key advantage. So how could SMS go from using hundreds of user accounts to hardly any? Active Directory. In an AD environment, SMS can use computer accounts instead of user accounts. Computer accounts are full security principals in AD. Therefore, you can add them to groups and set access control entries on them. (Tip: If you’re having problems getting a particular domain to work with SMS 2003 with Advanced Security installed, just give the site server’s computer account Administrator-level permissions where you’re having troubles, and odds are everything will magically start working.)

The only requirement for Advanced Security is AD. Because many organizations haven’t migrated to AD, Microsoft designed it so the switch from Standard to Advanced Security in SMS 2003 can be done any time. Just be aware that there is no going back to Standard Security once you’ve upgraded your site.

The Advantages of Tapping AD
While SMS 2003 runs perfectly well without AD, it fully exploits the directory for those who have taken the AD plunge. For instance, site boundaries can be based on AD sites. In an all-AD environment, IP subnet boundaries aren’t even required. Another benefit of AD integration is the ability to discover AD objects and base collections and perform queries and software distributions on them.

SMS 2003 offers three new AD-only discovery methods:

- Active Directory System Discovery, which finds all the computers in your AD sites.

- Active Directory User Discovery, which finds all the users and groups in your AD sites.

- Active Directory System Group Discovery, which finds everything else in your sites that the other two discovery methods didn’t—Organizational Units, containers, domain names and so on.

With this discovery data, SMS admins can query and target AD resources in a granular way (such as finding all the XP systems with IE 5.5 SP2 with less than 256MB of RAM in the Managers child OU of the Sales OU that have been logged onto in the last week by members of the Finance global group).

You may have heard that SMS 2003 requires extending the AD schema. As with Advanced Security and the Advanced Client, extending AD is optional. It provides certain advantages, so I’d heartily recommend extending the schema. I’d also recommend doing so when you install SMS 2003, because it’s a lot easier than extending it later on. The schema extensions allow all clients to automatically find an SLP and allow roaming Advanced Clients to find an MP. These can still be done without the schema extensions, but it’s a manual process and you miss the automation that schema extensions provide.

Figure 2. The Systems Management Control Panel for an Advanced Client. The Advanced tab provides local configuration options to accommodate downloading packages to be run locally.

Better Reporting
SMS 2003’s reporting is a major step forward. I’m sure there are people who actually like Crystal Reports, which is so complex that it requires its own training programs. (I’ve never met any of these people, but I’m sure they’re out there.) These folks will be disappointed, but the rest of us will be thrilled with SMS Reporting. This reporting tool uses direct queries to the SQL Server databases via IIS, and the reports are viewable with Internet Explorer (5.01 SP2 or higher). SMS Reporting isn’t entirely new. The Web Reporting utility has been a downloadable add-on for more than a year. However, with SMS 2003, the reporting functionality is fully integrated with the SMS Administrator Console, and reports can be launched without having to leave the comfort of the MMC. Nearly 160 reports come pre-installed, but crafting custom reports is a snap. Reports can also be filtered, scheduled, imported and/or exported, and multiple reports can be combined into “dashboards.”

Another benefit of full integration is that reports, like everything else in the SMS Admin Console, have object-level security. This way admins can tweak access to individual reports without having to mess with SQL security. (SMS 2003 administrators will have to bone up on their Transact-SQL skills to take full advantage of the reporting options, but get this: Microsoft is finally publishing and documenting the SMS schema!) And speaking of SQL Server security, a big plus for the SMS 2003 reporting over the Web Reporting utility is that SQL Server can run in integrated security mode.

A new requirement for the reporting functionality is yet another, IIS-based server role—the Reporting Point. A Reporting Point is a server running IIS 5.0 or later where all of the SMS reports are accessed.

Rebuilt Software Metering
Software metering was the least exploited feature of SMS 2.0. It was complicated, cumbersome, processor- and bandwidth-intensive, and in a word, lame. Microsoft threw out the software metering code from SMS 2.0 and rebuilt it for SMS 2003 from the ground up. This feature can now be more aptly called Software Usage Monitoring. Software Metering is now an offline recording of what applications are launched on what computers and for how long they’re run. The results of the monitoring are then periodically reported to the site server and stored in the same database as the rest of the SMS data. No separate servers or SQL databases are required. Software Metering data is closely tied to software inventory and reporting. SMS 2003 will even monitor application usage via Terminal Server sessions.

SMS and MOM:
The Road to System Center

Microsoft has two major management products: SMS and Microsoft Operations Manager (MOM). SMS is designed for change and configuration management and targets clients, whereas MOM performs operations management and targets servers. At the moment, SMS relates to Microsoft Operations Manager as if it were “Step Mom”; in other words, there’s not much communication between the two. While MOM can be used to monitor SMS servers, presently there’s not even a MOM Management Pack for SMS. The only thing the two products have in common is the word “manage” as part of their names. All of that will be changing in the next few years as Microsoft intends to merge the two management products, first into System Center Suite, and later into a single offering called System Center.

The first step will be a release of a MOM Application Management Pack for SMS. Next begins the love-in between MOM 2004 and SMS 2003 as part of System Center Suite. The suite will feature:

- SMS and MOM sharing the same, Yukon-based SQL Server database

- Cooperative MMCs or Web-based management consoles

- SMS deployment status forwarded as MOM alerts

- Shared Web-reporting capabilities

- Integrated packaging and licensing

Finally, as System Center, SMS and MOM will become a single product, leveraging additional management capabilities built into the future generation of Microsoft’s server OS, code-named “Longhorn.” It’s all part of a long-range strategy to remain competitive by bringing simplicity, automation and flexibility to IT operations, which, of course, has a name that can be reduced to a three-letter acronym: DSI (Dynamic Systems Initiative). But Microsoft may be missing the boat with DSI. They should consider changing the name of SMS to SIS (Systems Integration Suite) and adding a new product to work with MOM called DAD (Dynamic Administration Dashboard) to have a true family of management products.

—Mark Wingard

Smarter Inventory
While the basic approach to hardware and software inventory hasn’t changed in SMS 2003, some long asked-for enhancements are included. My personal favorite is that the software inventory now includes the path, or location, of the files inventoried. In this same vein, administrators can now direct specific file types to be inventoried in specific locations (for instance, .vbs files in the System32 folder). If an organization has conventions about where certain files or applications are stored on desktop systems, SMS 2003 can be directed to search in only those locations instead of the entire hard disk or disks. Compressed and/or encrypted folders can be skipped at the administrator’s discretion. This makes software inventory faster and less processor intensive. Also included is inventorying of Add/Remove Programs as a default function.
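As an added example (not code from the article or from Microsoft), here is the kind of custom Transact-SQL report the Reporting Point section above says admins will be writing, put to work on the new path information in software inventory. It runs against the SMS 2003 reporting views v_R_System, v_GS_SoftwareFile and v_GS_OPERATING_SYSTEM; the file name and the sanctioned folder are constructed sample values, and the second query is my own defender's twist: it lists machines where an inventoried file turns up somewhere other than where your convention says it belongs.

```sql
-- Added example: two custom SMS 2003 reports over the software inventory views.
-- In an SMS Web Report, the DECLARE/SET lines are replaced by report prompts of
-- the same names; here they are declared so the script runs as-is in Query Analyzer.
DECLARE @FileName nvarchar(255)
DECLARE @GoodPath nvarchar(255)
SET @FileName = 'cscript.exe'            -- constructed sample: file to look for
SET @GoodPath = 'C:\WINDOWS\system32\'   -- constructed sample: where it should live

-- Report 1: every inventoried copy of the file, with the path that SMS 2003
-- now records (the column shown in Figure 1), one row per copy per computer.
SELECT   r.Netbios_Name0     AS [Computer],
         os.Caption0         AS [Operating System],
         sf.FilePath         AS [Path],
         sf.FileVersion      AS [Version],
         sf.FileSize         AS [Bytes],
         sf.FileModifiedDate AS [Modified]
FROM     v_R_System r
JOIN     v_GS_SoftwareFile sf
         ON sf.ResourceID = r.ResourceID
LEFT JOIN v_GS_OPERATING_SYSTEM os
         ON os.ResourceID = r.ResourceID
WHERE    sf.FileName = @FileName
ORDER BY r.Netbios_Name0, sf.FilePath

-- Report 2: computers holding a copy of the file OUTSIDE the sanctioned folder.
-- A stray copy of a script host or admin tool in a user profile or temp folder
-- is worth a look; the path column is what makes this report possible.
-- Assumes the default case-insensitive SQL Server collation for the comparison.
SELECT   r.Netbios_Name0     AS [Computer],
         sf.FilePath         AS [Unexpected Path],
         sf.FileVersion      AS [Version],
         sf.FileModifiedDate AS [Modified]
FROM     v_R_System r
JOIN     v_GS_SoftwareFile sf
         ON sf.ResourceID = r.ResourceID
WHERE    sf.FileName = @FileName
  AND    sf.FilePath <> @GoodPath
ORDER BY r.Netbios_Name0, sf.FilePath
```

Because report access is governed by object-level security in the Admin Console, the second report can be handed to the help desk without granting anyone rights on the SQL Server itself.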

Remote Control
The old, dog-slow remote control performance has been noticeably improved—but could stand another boost. And for Win2K Server, XP and Windows 2003 clients, there are new remote control options: Terminal Services, Remote Assistance and Remote Desktop. Depending on what the target desktop supports, one or more of these choices will appear as a remote control option in the SMS Admin Console. SMS 2003 remote control security has been modified so remote controllers don’t have to have local accounts on the desktops they’re accessing; they just have to be listed in the Permitted Viewers. And the Administrators group, no matter what it’s called, “Administradores” or “Järjestelmänvalvojat”, is given default access to the Permitted Viewers.

Ready for the Enterprise
Many other improvements surface in the areas of security, performance (for instance, queries are much faster) and general functionality (the Backup Recovery Wizard is built-in, as is the Software Update Services and Administrator Feature Packs). There are multiple upgrade options (including the Deployment Readiness Wizard, designed to make upgrading bulletproof) and some great new client installation options, as well.

SMS 2003 has something every SMS 2.0 administrator is bound to love. Not only is SMS 2003 feature-rich and robust, it’ll actually work out of the box. It’s been well-tested already. Counting the 30 Rapid Deployment and Early Adopter Program partners, and Microsoft itself, SMS 2003 is already running in production on approximately 125,000 to 150,000 desktops. Due to the long development and beta cycle for this product, SMS 2003 should be one of the most stable new releases Microsoft has ever shipped. For a product once considered dead and buried by Win2K and IntelliMirror, SMS 2003 is remarkably alive and seriously kicking.
